CVE-2006-5634
Published 2006-11-01
Priority P3 · 39 · medium · 6.8 CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 6.07% (92.5th percentile)
Multiple PHP remote file inclusion vulnerabilities in phpProfiles 2.1 Beta allow remote attackers to execute arbitrary PHP code via a URL in the (1) reqpath parameter to (a) body.inc.php and (b) body_blog.inc.php in users/include/; or the (2) usrinc parameter in users/include/upload_ht.inc.php.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpprofiles | phpprofiles | <= 3.1.2b | — |
| phpprofiles | phpprofiles | <= 2.1_beta | — |
| phpprofiles | phpprofiles | — | — |
VulDB
phpProfiles body_blog.inc.php reqpath code injection (EDB-2688 / XFDB-29900)
vuldb·2026-04-26·CVSS 6.8
CVE-2006-5634 [MEDIUM] phpProfiles body_blog.inc.php reqpath code injection (EDB-2688 / XFDB-29900)
A vulnerability, which was classified as critical, has been found in phpProfiles. The affected element is an unknown function of the file body_blog.inc.php. The manipulation of the argument reqpath leads to code injection.
This vulnerability is uniquely identified as CVE-2006-5634. The attack can be carried out remotely. Moreover, an exploit is present.
VulDB
phpProfiles 2.1 Beta body.inc.php usrinc code injection (EDB-2688 / XFDB-29900)
vuldb·2026-04-26·CVSS 6.8
CVE-2006-5634 [MEDIUM] phpProfiles 2.1 Beta body.inc.php usrinc code injection (EDB-2688 / XFDB-29900)
A vulnerability, which was classified as critical, has been found in phpProfiles 2.1 Beta. Affected by this vulnerability is an unknown functionality of the file body.inc.php of the component Profiles. This manipulation of the argument usrinc causes code injection.
This vulnerability is registered as CVE-2006-5634. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
VulDB
phpProfiles upload_ht.inc.php usrinc privileges management (EDB-2688 / XFDB-29900)
vuldb·2026-04-26·CVSS 6.8
CVE-2006-5634 [MEDIUM] phpProfiles upload_ht.inc.php usrinc privileges management (EDB-2688 / XFDB-29900)
A vulnerability, which was classified as critical, was found in phpProfiles. The impacted element is an unknown function of the file upload_ht.inc.php. The manipulation of the argument usrinc results in improper privilege management.
This vulnerability was named CVE-2006-5634. The attack needs to be approached locally. In addition, an exploit is available.
GHSA
GHSA-6wxw-4hv5-jw85: Multiple PHP remote file inclusion vulnerabilities in phpProfiles 3
ghsa_unreviewed·2022-05-01·CVSS 6.8
CVE-2006-6740 [MEDIUM] CWE-94 GHSA-6wxw-4hv5-jw85: Multiple PHP remote file inclusion vulnerabilities in phpProfiles 3
Multiple PHP remote file inclusion vulnerabilities in phpProfiles 3.1.2b and earlier allow remote attackers to execute arbitrary PHP code via a URL in the menu parameter to (1) include/body.inc.php or (2) include/body_admin.inc.php; or a URL in the incpath parameter to (3) index.inc.php, (4) account.inc.php, (5) admin_newcomm.inc.php, (6) header_admin.inc.php, (7) header.inc.php, (8) friends.inc.php, (9) menu_u.inc.php, (10) notify.inc.php, (11) body.inc.php, (12) body_admin.inc.php, (13) commrecc.inc.php, (14) do_reg.inc.php, (15) comm_post.inc.php, or (16) menu_v.inc.php in include/, different vectors than CVE-2006-5634. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
GHSA
GHSA-5ppw-v8m5-xww6: Multiple PHP remote file inclusion vulnerabilities in phpProfiles 2
ghsa_unreviewed·2022-05-01
CVE-2006-5634 [MEDIUM] CWE-94 GHSA-5ppw-v8m5-xww6: Multiple PHP remote file inclusion vulnerabilities in phpProfiles 2
Multiple PHP remote file inclusion vulnerabilities in phpProfiles 2.1 Beta allow remote attackers to execute arbitrary PHP code via a URL in the (1) reqpath parameter to (a) body.inc.php and (b) body_blog.inc.php in users/include/; or the (2) usrinc parameter in users/include/upload_ht.inc.php.
http://secunia.com/advisories/22644
http://www.osvdb.org/30137
http://www.osvdb.org/30138
http://www.osvdb.org/displayvuln.php?osvdb_id=30136
http://www.securityfocus.com/bid/20819
http://www.vupen.com/english/advisories/2006/4274
https://exchange.xforce.ibmcloud.com/vulnerabilities/29900
https://www.exploit-db.com/exploits/2688